The Girl with the PGP Encryption Programme

Off the Beat: Bruce Byfield's Blog

Aug 06, 2010 GMT

Bruce Byfield

Earlier this week, a neighbor loaned me Stieg Larsson's The Girl With the Dragon Tattoo, the mystery that everyone seems to be reading this summer. Mostly, it's an intelligent light read -- even if the climax does occur three-quarters of the way through-- and the book is very lucky in its translator, Reg Keeland. However, my enjoyment is diminished by the sometimes less than expert treatment of computer security issues

Larsson gets some things right when he discusses computers. His detailed stats for a state of the art Mac in 2005 sound correct to my memory, and his assumption that most people do not protect their computers with a password, much less any other security measures is -- unfortunately -- still true today.

However, when he starts talking about computer security, his touch becomes less sure. For instance, the revelation that the title character is a "hacker" (he means "cracker," of course), is meant to be astounding when it occurs halfway through the book. You can tell, because the sentence that reveals the fact is italicized, and contains one of the rare instances of swearing in the book.

Yet, considering that the title character conducts security investigations for a living, and has a reputation for finding obscure information, any half-aware reader had deduced the fact long before it is revealed. Even five years ago, when computer users were even less security-conscious than they are now, the fact would have been obvious. Yet apparently Larsson assumes that most readers would miss what most IT professionals would find obvious.

Crackers and Magicians

The trouble is not only that Larsson is dealing with issues that he barely understands, but also that he cannot resist the Hollywood touches. His crackers are anti-social Goths, at least one of whom -- the title character -- is described as having Asperger's Syndrome. They break into any computer effortlessly, and juggle money from one account to another in a matter of moments, unhampered by any delays for verification or any other form of security.

In fact, in Larsson's book, "hacker" is almost synonymous with "magician." For instance, one of them who is known as Plague "invented a type of cuff that you fasten around the broadband cable . . . . Everything that [the user] sees is registered by the cuff, which forwards the data to a server."

How this cuff is supposed to work through the cable insulation is not explained. It sounds, though, like a hardware version of a packet sniffer. A few bits at a time, it creates a mirror drive on a server that integrates with the machine's browser.

Soon, the user is "no longer working on his own computer," the title character explains, "in reality he's working on our server. His computer will run a little slower, but it's virtually not noticeable. And when I'm connected to the server, I can tap his computer in real time. Each time [he] presses a key on his computer I see it on mine."

All very well, I can't help thinking, but what if the one being cracked tries to use material that was uploaded from a USB drive or a DVD? From the description, such material wouldn't be on the mirrored drive unless the user uploaded it to a site or sent it as an attachment. For that matter, what happens if Internet service is interrupted or the server the mirror is on goes down?

Similarly, towards the end of the book, the investigative journalist who is the second major character becomes aware that a rival has compromised the network of his magazine. Presumably briefed by the title character, he instructs the staff to install "the PGP encryption programme" so that they can communicate privately.

Besides the stiffness with which PGP is mentioned (which is presumably necessary to tell ordinary readers what it is without stopping for an explanation), what strikes me here is that both the journalist and Larsson seem to forget that the magazine's computers are already compromised. Not only is the fact that the staff are suddenly encrypting email likely to tip off the rival that his activities have been discovered, but what is stop the rival from finding the encryption keys on the hard drive?

The title character makes similar mistakes when she conducts a sting in person. I mean, what is the point of a wig or false breasts or covering your tattoos with makeup if you publicly demonstrate a noticeable talent like a photographic memory?

In the end, the mentions of security, crackers, and PGP are simply there for verisimilitude, to create an illusion of expertise that will convince average readers. All too clearly, too, Larsson is working at the borders of his understanding. That is obvious because, after the discussion of PGP at the magazine, he mentions in an aside that using PGP on a compromised computer is useless. It is as though he sketchily researched security matters, but never absorbed enough of what he learned to notice the major plot hole he created.

Getting Things Right

The majority of readers, I am sure, are content with equating cracking with magic, and never notice when Larsson strains credulity or makes mistakes. So why point out the lapses?

For one thing, the lapses make clear that Larsson did not always do his job. Getting the details right, even when relatively few people will notice, is a matter of artistic integrity, of doing the job properly. Most novelists don't want to distract even a few readers from their story if they can possibly prevent it. Moreover, by learning enough, writers can often improve their plots or correct errors.

More importantly, for those who make a career out of computers, popular references to technical issues are an indicator of exactly what the general public knows (not much, apparently). Personally, I felt mildly pleased to see PGP mentioned in a bestselling paperback, but I would have been far more thrilled -- and less distracted from the story -- if Larsson had got his technical references correct.